APAC CIOOutlook

    Cyber Security - Integrated enterprise approach required to address the multifaceted challenges

    Sumit Puri, CIO, Max Healthcare


    Data is the new oil in today's hyper-connected world. Considering the increased mobility and the significant volume of personal health information held by healthcare providers, it is imperative for providers to have effective data security mechanisms in place.

    According to a recent global study by IBM Security and Ponemon Institute on the cost of a data breach in 2018, the average total cost of a data breach is becoming quite significant. The average total cost, the average cost for each lost or stolen record (per capita cost) and the average size of known data breaches all increased above the 2017 report averages. The average total cost rose from $3.62 million to $3.86 million, an increase of 6.4 percent; the average cost for each lost record rose from $141 to $148, an increase of 4.8 percent; and the average size of the data breaches increased by 2.2 percent.

    With cybersecurity attacks growing at an increasing rate, and system vulnerabilities frequently being discovered, it is evident that healthcare cybersecurity threats are not going away. Unfortunately, there have been several damaging data breaches in the healthcare industry in the past few years, with the WannaCry ransomware attack, which brought down NHS hospital services in the UK for several hours, as a case in point. The recent proliferation of anonymous hackers and cryptocurrency coin miners is a stark reminder that not only is the volume of attacks increasing, their range is expanding and so is the risk of them significantly damaging healthcare delivery. Cybercriminals are applying their creative skills to breach defences through increasingly advanced and sophisticated attacks.

    Security concerns over smart devices, including internet-connected hospital medical equipment, have increased over the past few years. A case in point is former US Vice President Dick Cheney, who revealed he had been warned that his defibrillator could be used to assassinate him by hackers manipulating the device. That is why Abbott (formerly St. Jude Medical) recalled some 350,000 implantable defibrillators in May 2018 to help protect patients from any assassination attempts or other cyber security issues. This followed a similar recall of 465,000 pacemakers by Abbott in 2017 to upgrade their firmware and install security fixes.

    As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities. According to a recent Ponemon Institute study, 80 percent of device-makers and healthcare delivery organizations rate the level of difficulty in securing medical devices as very high. Meanwhile, 67 percent of device manufacturers and 56 percent of healthcare organizations are expecting a security breach of a device over the next 12 months.

    According to one 2018 study, device phishing attacks are up 85 percent, with the increasing amount of data collected by every site and app visited on your mobile device.

    Presently, with advanced technology, a sophisticated hacker may hijack a healthcare supplier's domain and redirect its traffic to another, infected domain carrying spurious messages.

    An attack that directly compromises a supplier's software is particularly difficult to defend against. The infected software is still signed with the manufacturer's certificate, so any receiving system that checks for a valid certificate will trust it and may become exposed. Attackers may also choose to target cloud-hosting services. Websites associated with the host may become infected and spread that infection to other organizations along the supply chain.

    Because healthcare relies so heavily on third-party services and business partnerships, it faces a high degree of exposure to these kinds of attacks. There is growing recognition in the healthcare industry of the importance of protecting patient data, which is the bedrock of enhancing trust and patient safety. To meet these significant challenges, healthcare organizations should view cybersecurity as a business risk rather than just a technical challenge and address security issues at the board level on a continual basis. This recognition signals a shift to a larger business-level transformation, with progressive organizations moving from a narrower, compliance- and HIPAA-focused approach to a more comprehensive enterprise-level data security strategy.

    The key steps to enable an integrated security strategy are as follows:

    1) Socialise the risks and inform users - According to most reports, while most large enterprises are fairly well covered on perimeter and network security, internal data breaches from employees are the weakest link in enterprise security. There is an ongoing need to educate employees across the organization to be cyber aware and to provide training according to their roles and responsibilities. Online, user-friendly modules on security, with annual enrolment of all employees, will help everyone understand the key dos and don'ts and socialise the perils of potential cyber security breaches.

    2) Hire the right personnel and build an integrated team with adequate business participation - Focus on hiring and retaining qualified IT security staff who can work with nominated representatives of key business functions to protect sensitive data. It is recommended to nominate a senior business or compliance representative as Chief Data Protection Officer to ensure dedicated focus on potential data security risks. Within the IT function, there is also a need to share security standards with suppliers and to consider security implications when purchasing medical equipment, IT hardware, or software.

    3) Monitor emerging security threats and buy necessary tools to protect the enterprise - It is imperative that ongoing security threats are monitored carefully and that, wherever necessary, the requisite tools for data loss prevention, endpoint monitoring and encryption, advanced threat prevention, etc. are procured to reduce organisational risk.

    4) Strengthen data security policies and set up an integrated incident response team - In spite of the best efforts of the security team, there will be occasional security breaches and/or zero-day attacks. Hence it is important to form integrated incident management teams and strengthen cybersecurity incident response protocols, with the data security team empowered to work seamlessly with users, IT infrastructure and application vendor teams in a boundaryless manner.

    5) Set up a security governance framework to assess and manage internal security preparedness - Unless we measure security aspects, it is difficult to manage the risks. It is therefore critical that IT teams speak business language to share potential security risks and scientifically compute ROI on IT security investments. It is also important to create an IT security metrics framework with metrics on data patching status, anti-virus compliance, penetration and vulnerability threats (especially for external internet-facing sites), level of data breaches reported, coverage of internal employee awareness trainings, compliance status, etc. These metrics should be reviewed at least monthly to drive better understanding of security preparedness, compliance and progress at an enterprise level.

    Organizations that incorporate steps such as these into their overall cybersecurity frameworks will be best positioned to successfully navigate the challenges that await. Some of these suggested practices will help facilitate a security culture and develop an agile, comprehensive and effective cybersecurity posture for the healthcare community.

    In conclusion, it is essential to increase organisation-wide awareness, raise emerging security risks at board level, remain vigilant and continue to layer new forms of cyber security protection to prevent your network from exposure to cybersecurity threats.